Mora_001 attack chain deploys SuperBlack ransomware for double extortion
The Mora_001 threat actors use CVE-2024-55591 or CVE-2025-24472 to gain initial access and obtain “super_admin” privileges within the FortiOS appliance. The attackers create new privileged accounts with names including “forticloud-tech,” “fortigate-firewall” and “administrator [sic].”

Also observed was the creation of an account with the username “watchTowr,” which was later deleted, showing that the attacker leveraged the publicly available PoC exploit in their attack.

For firewalls with VPN capabilities, the attackers created local user accounts that copied the names of legitimate users but with one number added at the end, helping them evade detection and maintain persistent access.

For firewalls without VPN capabilities, the threat actor used high availability (HA) configuration propagation or abuse of authentication infrastructure such as the Remote Authentication Dial-In User Service (RADIUS) to compromise other firewalls on the network. The HA functionality allows the configuration of one firewall to be synchronized to others within the same cluster, so a compromised configuration is replicated across the cluster along with Mora_001’s backdoored accounts.

Mora_001 also leveraged access to several FortiGate dashboards, including the status, security, network, users & devices and WiFi dashboards, to gather additional intelligence and identify avenues for lateral movement, and used the VPN Brute v1.0.2 tool to attempt to brute force additional firewall accounts.

The attackers prioritized file servers, authentication servers, domain controllers, database servers and other high-value targets for lateral movement to maximize the impact of their encryption and double extortion. They primarily utilized Windows Management Instrumentation (WMIC) for remote system discovery and execution and used SSH to access additional systems, according to Fortinet.

A custom data exfiltration tool unique to the SuperBlack ransomware variant was deployed prior to encryption, and a wiper tool was utilized after encryption to remove evidence of the ransomware executable. A ransom note was also left behind by the attacker.
SuperBlack’s complex connections to LockBit, other ransomware groups
As noted, SuperBlack is a variant of the LockBit 3.0 builder, also known as LockBit Black, which was leaked in 2022. The SuperBlack ransom note is nearly identical to that of the LockBit 3.0 template but with all LockBit branding removed.

However, Forescout researchers noted that the TOX chat ID included in the ransom note is still linked to LockBit, suggesting that Mora_001 may be a former affiliate or may be sharing some LockBit infrastructure. Despite this, the unique customization of SuperBlack sets this threat actor apart from typical LockBit affiliates.

Forescout also noted potential connections to other ransomware groups; the wiper component, which Forescout calls WipeBlack, has been used in previous ransomware attacks linked to LockBit and BrainCipher. BrainCipher itself has ties to additional groups known as SenSayQ, EstateRansomware and RebornRansomware. The researchers also identified a SuperBlack sample with an import hash previously associated with LockBit and another strain called BlackMatter.

“Mora_001’s relationship to the broader LockBit’s ransomware operations underscore the increased complexity of the modern ransomware landscape – where specialized teams collaborate to leverage complementary capabilities,” the Forescout researchers wrote.
Recommended mitigations for SuperBlack ransomware
Immediate patching of the Fortinet zero-days is key to preventing exploitation; according to Shadowserver, more than 31,000 FortiGate instances remain exposed, including more than 7,600 in the United States. Users are also advised by Forescout to disable external management access to their firewalls and VPNs whenever possible and to regularly audit admin accounts to identify and remove any unknown users.

Mora_001 was observed using automated scripts to probe for vulnerabilities and maintain persistence, so administrators should also check for suspicious automation tasks running on their systems.
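As an added example (not code from Forescout, Fortinet or the original article), a small audit script in the spirit of the advice above: it parses a constructed FortiOS-style config excerpt, flags admin accounts missing from an assumed allowlist, and flags local users named after an existing user with a single digit appended, the naming pattern described earlier for VPN-capable firewalls. The sample config and the allowlist are assumptions.

```python
import re

# Constructed FortiOS-style config excerpt (sample input, not taken from any real appliance).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
    next
    edit "administrator"
        set accprofile "super_admin"
    next
end
config user local
    edit "jsmith"
        set type password
    next
    edit "jsmith1"
    next
end
"""

def parse_entries(config_text):
    """Map each top-level 'config ... end' block to its 'edit' names (depth-aware)."""
    sections, stack = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])          # nested config blocks push too
        elif line == "end" and stack:
            stack.pop()                     # ...and pop, so the outer block stays open
        elif line.startswith("edit ") and len(stack) == 1:
            name = re.match(r'edit\s+"?(.*?)"?\s*$', line).group(1)
            sections.setdefault(stack[0], []).append(name)
    return sections

def audit_admins(sections, expected_admins):
    """Admin accounts absent from the documented allowlist (the allowlist is an assumption)."""
    return sorted(set(sections.get("system admin", [])) - set(expected_admins))

def find_lookalike_users(sections):
    """Local users named as an existing user plus one trailing digit."""
    users = set(sections.get("user local", []))
    return sorted(u for u in users if u and u[-1].isdigit() and u[:-1] in users)

if __name__ == "__main__":
    found = parse_entries(SAMPLE_CONFIG)
    print("unexpected admins:", audit_admins(found, ["admin"]))
    print("lookalike local users:", find_lookalike_users(found))
```

Run it against a `show full-configuration` export with your own allowlist; anything it flags deserves a manual look rather than automatic removal.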